#25705: Parameters are not adapted or quoted in Query.__str__
-------------------------------------+-------------------------------------
     Reporter:  Dmitry Dygalo        |                    Owner:  Alex
         Type:                       |                   Status:  assigned
  Cleanup/optimization               |
    Component:  Database layer       |                  Version:  dev
  (models, ORM)                      |
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Simon Charette):

 My concerns with fixing this issue are related to comments such as comment:5

 > It seems to me an experienced Django coder could fix this in minutes and
 > that there should be a regression test for this kind of code:
 >
 > {{{
 > qs=model.objects.somequeryset
 > sql=str(qs.query)
 > raw_qs=model.objects.raw(sql)
 > }}}

 We absolutely don't want to support this pattern in a context where we
 can't guarantee that the proper quoting is performed on all supported
 backends as that might result in SQL injection problems. In this sense I
 think that it's a good thing that `qs.query` doesn't even attempt to
 perform the proper quoting to make it clear it should not be used for this
 purpose.

 I'd much rather see us document `sql.Query.sql_with_params(using: str =
 DEFAULT_DB_ALIAS)` which could be used as

 {{{#!python
 sql, params = qs.query.sql_with_params()
 model.objects.raw(sql, params)
 }}}

 over spending time trying to dangerously emulate parameters quoting.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/25705#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
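Worked example added here, not from the ticket or from Django's code base: a constructed stand-in class reproduces the behaviour the comment describes (`__str__` interpolates parameters with no quoting; `sql_with_params()` keeps them separate) and runs both patterns against an in-memory sqlite3 table. The `raw()` helper, the `author` table and its rows are assumptions made for the demonstration.

```python
import sqlite3


class FakeQuery:
    """Constructed stand-in for django.db.models.sql.Query (not Django's code).

    __str__ interpolates params into the SQL without adapting or quoting them,
    as the ticket describes; sql_with_params() keeps SQL and params separate."""

    def __init__(self, sql, params):
        self.sql = sql  # %s placeholders, as Django's Query uses
        self.params = tuple(params)

    def sql_with_params(self):
        return self.sql, self.params

    def __str__(self):
        return self.sql % self.params  # no quoting, as in the ticket


def raw(conn, sql, params=()):
    """Hypothetical stand-in for Manager.raw(); sqlite3 wants ? placeholders."""
    return conn.execute(sql.replace("%s", "?"), params).fetchall()


def setup():
    """Constructed sample data: an in-memory table with two authors."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO author (name) VALUES (?)",
                     [("O'Brien",), ("Ada",)])
    return conn


def via_str(conn, sql, value):
    """The str(qs.query) -> raw(sql) pattern quoted in comment:5."""
    q = FakeQuery(sql, [value])
    try:
        return "ok", raw(conn, str(q))
    except sqlite3.Error as exc:  # unquoted text is not valid SQL
        return "error", f"{str(q)!r}: {exc}"


def via_sql_with_params(conn, sql, value):
    """The sql_with_params() pattern the comment recommends instead."""
    q = FakeQuery(sql, [value])
    sql, params = q.sql_with_params()
    return "ok", raw(conn, sql, params)


if __name__ == "__main__":
    conn = setup()
    by_id, by_name = ("SELECT id, name FROM author WHERE id = %s",
                      "SELECT id, name FROM author WHERE name = %s")
    print(via_str(conn, by_id, 2))             # only works because 2 needs no quoting
    print(via_str(conn, by_name, "O'Brien"))   # error: the name was never quoted
    print(via_sql_with_params(conn, by_name, "O'Brien"))
```

The integer case succeeding is what makes the `str(qs.query)` pattern look safe; any text parameter shows that the output is not SQL the backend can be handed.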